Kerberos authentication and LDAP authorization

Wed Mar 7 09:43:16 UTC 2007

There are many difficulties and YES there is the documentation
in the FreeBSD handbook, but it did not help me so much. I still have

I installed MIT krb5 also and I am using kadmin from MIT
to manage the krb5 server.

First problem

kadmin:  ktadd -k /etc/krb5.keytab host/host.domain
kadmin: Unsupported key table format version number while adding key to 

I can't understand this message. I touched /etc/krb5.keytab,
but via kadmin it is unable to export the krb5 key I added before

  addprinc -randkey host/host.domain

I also did chmod 777 krb5.keytab, nothing to do.

In the end I exported it from the KDC and copied it by hand to
/etc/krb5.keytab on my client FreeBSD box, but I do not know
if it will work this way.

Anyway, now I have another problem.
I am not able to configure ssh to log in via Kerberos.

I tried everything

KerberosAuthentication yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes

Then I changed /etc/pam.d/sshd

# auth
auth            required          no_warn
auth            sufficient             no_warn no_fake_prompts
auth            requisite       no_warn allow_local
auth            sufficient             no_warn try_first_pass
#auth           sufficient              no_warn try_first_pass
auth            required             no_warn try_first_pass

# account
account         required
account         required
account         required

# session
#session        optional
session         required

# password
password        sufficient             no_warn try_first_pass
password        required             no_warn try_first_pass

and ssh won't authenticate via Kerberos:

Mar  7 10:27:24 bastionbox1 sshd[1019]: Invalid user myself from 
Mar  7 10:27:33 bastionbox1 sshd[1019]: error: PAM: authentication error 
for illegal user myself from mylapdop.domain

I must be missing something, I do not know what...

Actually I do not think this scenario is commonly used by BSD users,
and I cannot find documentation to help myself; anyway I need this
scenario, which was implemented on Linux before.
I do not want to use Linux anyway for this purpose (bastion SSH
box for public login via krb5/ldap).
In the end the scenario needs to be krb5 for authentication
and LDAP for authorization.

For now I am not able to authenticate via krb5

Any hints?



On Tue, 6 Mar 2007, Tillman Hodgson wrote:

> On Tue, Mar 06, 2007 at 10:07:57AM -0700, RJ45 wrote:
>> for example I would like to install the MIT krb5 implementation from ports
>> instead of using the Heimdal default, because the kerberos server
>> on my network is a MIT server and I can't use kadmin on FreeBSD
>> to administer the kerberos server remotely using the Heimdal implementation.
>> Anyone has experience of the MIT krb5 implementation on FreeBSD ?
> The handbook has a chapter on setting up Kerberos, albeit focused on Heimdal.
> In section 14.8.6 it notes that the kadmin protocol differs between
> Kerberos implementations -- you have to use the MIT kadmin to administer
> a remote MIT KDC.
> Other than the kadmin bits (which are fairly different between the two
> but isn't used by end-users anyway), it's pretty much transparent to a
> Kerberos-enabled workstation which implementation it's using. I
> typically install both (to different paths to avoid file conflicts)
> because I like using the newest Heimdal rather than the one in base and
> also because the included client applications differ. For example, MIT
> has Kerberos rsh whereas the base Heimdal doesn't for some of the
> platforms that I use.
> If you run into any specific issues when setting it up, please post back
> to the list and cc me and I'll give you a hand.
> -T
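As an added example (not code from the original posts, nor from MIT krb5, Heimdal or FreeBSD), the following Python reads and writes the MIT keytab on-disk format (version bytes 0x05 0x02, then length-prefixed entries). It shows why a keytab created with `touch` triggers "Unsupported key table format version number": an empty file has no version header at all, so kadmin cannot treat it as a keytab. It also checks the thing sshd needs before Kerberos logins can work, namely a `host/<fqdn>@<REALM>` entry in the keytab. The realm EXAMPLE.COM, the timestamp and the 32-byte key in `sample_keytab()` are constructed values for the demonstration.

```python
# Added example (not from the original thread): minimal reader/writer for the
# MIT Kerberos keytab format, version 0x0502.
import struct
from dataclasses import dataclass
from typing import List, Tuple

KEYTAB_HEADER = b"\x05\x02"   # magic 0x05, format version 2 (big-endian fields)


class KeytabError(ValueError):
    """Raised for data that is not a well-formed version-2 keytab."""


@dataclass
class KeytabEntry:
    principal: str   # e.g. host/host.domain@EXAMPLE.COM
    name_type: int   # 1 = KRB5_NT_PRINCIPAL, 3 = KRB5_NT_SRV_HST (RFC 4120)
    timestamp: int   # seconds since the epoch when the key was written
    kvno: int        # key version number
    enctype: int     # 18 = aes256-cts-hmac-sha1-96
    key: bytes


def _read_str(data: bytes, pos: int) -> Tuple[str, int]:
    (n,) = struct.unpack_from(">H", data, pos)   # uint16 length prefix
    pos += 2
    return data[pos:pos + n].decode("utf-8"), pos + n


def _pack_str(s: str) -> bytes:
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def _parse_entry(data: bytes, pos: int, end: int) -> KeytabEntry:
    (ncomp,) = struct.unpack_from(">H", data, pos)
    pos += 2
    realm, pos = _read_str(data, pos)            # realm precedes the components
    comps = []
    for _ in range(ncomp):
        c, pos = _read_str(data, pos)
        comps.append(c)
    name_type, timestamp, vno8, enctype, keylen = struct.unpack_from(">IIBHH", data, pos)
    pos += 13
    key = data[pos:pos + keylen]
    pos += keylen
    kvno = vno8
    if end - pos >= 4:                           # optional 32-bit kvno at the end of the slot
        (vno32,) = struct.unpack_from(">I", data, pos)
        if vno32:
            kvno = vno32
    return KeytabEntry("/".join(comps) + "@" + realm, name_type, timestamp, kvno, enctype, key)


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    if len(data) < 2 or data[:2] != KEYTAB_HEADER:
        # An empty file (touch /etc/krb5.keytab) has no header bytes, which is what
        # kadmin reports as "Unsupported key table format version number".
        raise KeytabError("Unsupported key table format version number")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)   # int32 slot size
        pos += 4
        if size < 0:                # negative size marks a deleted slot of that many bytes
            pos += -size
            continue
        end = pos + size
        if end > len(data):
            raise KeytabError("truncated keytab entry")
        entries.append(_parse_entry(data, pos, end))
        pos = end
    return entries


def build_keytab(entries: List[KeytabEntry]) -> bytes:
    out = bytearray(KEYTAB_HEADER)
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)) + _pack_str(realm))
        for c in comps:
            body += _pack_str(c)
        body += struct.pack(">IIBHH", e.name_type, e.timestamp, e.kvno & 0xFF, e.enctype, len(e.key))
        body += e.key + struct.pack(">I", e.kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def has_host_key(data: bytes, fqdn: str, realm: str) -> bool:
    """sshd needs host/<fqdn>@<REALM> in its keytab to accept Kerberos logins."""
    wanted = f"host/{fqdn}@{realm}"
    return any(e.principal == wanted for e in parse_keytab(data))


def sample_keytab() -> bytes:
    """Constructed keytab: one deleted 5-byte slot, then a host key (constructed values)."""
    entry = KeytabEntry("host/host.domain@EXAMPLE.COM", 1, 1173260000, 3, 18, bytes(range(32)))
    deleted_slot = struct.pack(">i", -5) + b"\x00" * 5
    return KEYTAB_HEADER + deleted_slot + build_keytab([entry])[2:]


if __name__ == "__main__":
    for e in parse_keytab(sample_keytab()):
        print(f"{e.kvno:>4} {e.principal} (enctype {e.enctype})")
    try:
        parse_keytab(b"")       # what an empty /etc/krb5.keytab looks like to a parser
    except KeytabError as err:
        print("empty file:", err)
```

The builder writes the 8-bit and 32-bit kvno fields the way current MIT tools do, so a parsed keytab re-serialises to the same bytes; the deleted-slot handling is what lets `ktremove`-style deletions leave holes without rewriting the file.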
